The Nebula certificates are created with expirations that match the Platform based certificate policy. The Nebula CA Certificate is issued with a 10-year expiration while the node certificates have a 3-year expiration. A specific node’s certificates (private/public) can be reissued and applied via the following command:

nw-create-cloud-hybrid --reissue-node-certs





UUID of the specific node (Required)


Optional Name of deployment model in template

defaults to pre-defined 'gcp default'


Optional Cloud Service Account Json-based key data path

GCP will default to /root/.gcp/gcp-auth-token.json

This command replaces the Nebula certificates for the specified node in the SASE Deployment.